[pkg-ntp-maintainers] Exploitable NTP server used for an attack

Bob Proulx bob at proulx.com
Fri Feb 21 19:45:37 UTC 2014


Hello NTP Maintainers,  Please CC me on replies.

Is it possible to turn on monlist remotely?

I was just notified that one of the machines I help administer was
used in an NTP DDoS attack.  Inspection shows that the system was
vulnerable.  It was a stock Squeeze system fully up to date running
the package delivered ntp.conf file.  The ntp package version and
ntp.conf were identical to other systems.  And yet it was responding
when queried remotely just the same.  How is that possible?

After coming up empty on why I decided to do nothing other than to
restart the ntpd.  (All of .177, .182, and .188 are the same host.)

Before:

  rwp at dismay:~$ ntpdc -n -c monlist ns2
  remote address          port local address      count m ver rstr avgint  lstint
  ===============================================================================
  132.163.4.103            123 66.54.153.177      41040 4 4      0    949     382
  66.54.153.1              123 66.54.153.188      41173 4 4    1d0    946     468
  66.135.44.92             123 66.54.153.177      40996 4 4      0    950     715
  66.54.153.28             123 66.54.153.188      41173 4 4    1d0    946     820
  162.210.249.218        41150 66.54.153.182          1 3 4      0 440987  440987
  50.116.62.188          52583 66.54.153.177          1 3 4      0 690801  690801
  58.215.177.51          45969 66.54.153.182          4 3 4      0 653639 2407879

Restart:

  ns2:~# service ntp restart
  Stopping NTP server: ntpd.
  Starting NTP server: ntpd.

After:

  rwp at dismay:~$ ntpdc -n -c monlist ns2
  ns2: timed out, nothing received
  ***Request timed out

The configuration contains:

  restrict -4 default kod notrap nomodify nopeer noquery
  restrict -6 default kod notrap nomodify nopeer noquery
  restrict 127.0.0.1
  restrict ::1

The rest of the file is the same as if the package were purged and
then installed again fresh with the exception of the addition of two
local server lines for local timeservices.  I did not modify the
ntp.conf file but only restarted the ntp service.  After restart it is
no longer reporting monlist?  Any ideas on how that is possible?

And so I wonder if it is possible to turn on monlist remotely?

Unfortunately by restarting the ntpd I have lost the test case that
was producing the problem.  Fortunately however it appears to no
longer be vulnerable to participating in a DDoS.  Unless there is a way
to enable this feature remotely?  I fear this may be one of those
reproducible results that never makes sense.

Thanks,
Bob
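The restrict lines quoted in the message are what gate mode 7 requests such as monlist: a `restrict default` line carrying `noquery` (or `ignore`) denies ntpq/ntpdc queries from everyone it covers, and a `restrict default` without a `-4`/`-6` family applies to both. The following is an added example, not code from the post or the Debian ntp package, that audits an ntp.conf text for that property so an operator can check every host's file rather than probing each server with ntpdc. The two configuration strings are constructed here: the first is the block quoted in the message, the second is a weakened variant assumed for illustration.

```python
"""Audit ntp.conf 'restrict' lines for the flags that deny mode 6/7 queries
(ntpq/ntpdc, including monlist).  Added example; not part of the original
post.  Sample configurations below are constructed for the demonstration."""

# Flags on a restrict line that prevent ntpd from answering query packets.
QUERY_BLOCKING = {"noquery", "ignore"}

# Sources that may keep query access in the post's own configuration.
LOCALHOST = {"127.0.0.1", "::1"}


def parse_restrict(conf_text):
    """Return one dict per 'restrict' line: family, address, mask, flags."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):  # optional address family
            family = tokens.pop(0)
        if not tokens:
            continue                              # malformed line, nothing to audit
        address = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask = tokens[1]
            tokens = tokens[2:]
        entries.append({"family": family, "address": address,
                        "mask": mask, "flags": set(tokens)})
    return entries


def audit_restrict(conf_text):
    """Return a list of findings; an empty list means queries are blocked
    for both address families by default and no non-local source is exempt."""
    entries = parse_restrict(conf_text)
    findings = []
    defaults = [e for e in entries if e["address"] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: ntpd answers mode 7 "
                        "queries from any source")
    covered = set()
    for e in defaults:
        # A family-less 'restrict default' applies to both IPv4 and IPv6.
        fams = {e["family"]} if e["family"] else {"-4", "-6"}
        if not (e["flags"] & QUERY_BLOCKING):
            findings.append("restrict default (%s) lacks noquery: monlist "
                            "reachable" % ",".join(sorted(fams)))
        covered |= fams
    for fam in ("-4", "-6"):
        if defaults and fam not in covered:
            findings.append("no restrict default line for %s" % fam)
    for e in entries:
        if e["address"] == "default" or e["address"] in LOCALHOST:
            continue
        if not (e["flags"] & QUERY_BLOCKING):
            findings.append("restrict %s allows queries from that source"
                            % e["address"])
    return findings


# Constructed sample 1: the restrict block quoted in the message.
POST_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample 2: a weakened variant (noquery missing on IPv4 default,
# and a documentation-range subnet exempted from noquery).
WEAK_CONF = """\
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("weak", WEAK_CONF)):
        problems = audit_restrict(conf)
        print(name, "OK" if not problems else "\n  ".join([""] + problems))
```

Run it against each host's /etc/ntp.conf (for example by reading the file into `audit_restrict`); a clean result says only that the file on disk blocks queries, so pairing it with the remote `ntpdc -n -c monlist` check from the message confirms the running daemon actually loaded that file.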